RestrictedPython is a defined subset of the Python language which allows program input to be provided to a trusted environment.
.. image:: https://github.com/zopefoundation/RestrictedPython/actions/workflows/tests.yml/badge.svg
   :target: https://github.com/zopefoundation/RestrictedPython/actions/workflows/tests.yml

.. image:: https://coveralls.io/repos/github/zopefoundation/RestrictedPython/badge.svg?branch=master
   :target: https://coveralls.io/github/zopefoundation/RestrictedPython?branch=master

.. image:: https://readthedocs.org/projects/restrictedpython/badge/
   :target: https://restrictedpython.readthedocs.org/
   :alt: Documentation Status

.. image:: https://img.shields.io/pypi/v/RestrictedPython.svg
   :target: https://pypi.org/project/RestrictedPython/
   :alt: Current version on PyPI

.. image:: https://img.shields.io/pypi/pyversions/RestrictedPython.svg
   :target: https://pypi.org/project/RestrictedPython/
   :alt: Supported Python versions

.. image:: https://github.com/zopefoundation/RestrictedPython/raw/master/docs/logo.jpg
RestrictedPython is a tool that helps to define a subset of the Python language which allows program input to be provided to a trusted environment. RestrictedPython is not a sandbox system or a secured environment, but it helps to define a trusted environment and execute untrusted code inside of it.
.. warning::

   RestrictedPython only supports CPython. It does not support PyPy and other Python implementations as it cannot provide its restrictions there.
For full documentation please see http://restrictedpython.readthedocs.io/.
To give a basic understanding of what RestrictedPython does, here are two examples:
Python allows you to execute a large set of commands. This would not harm any system.
.. code-block:: pycon

   >>> from RestrictedPython import compile_restricted
   >>> from RestrictedPython import safe_globals
   >>>
   >>> source_code = """
   ... def example():
   ...     return 'Hello World!'
   ... """
   >>>
   >>> loc = {}
   >>> byte_code = compile_restricted(source_code, '<inline>', 'exec')
   >>> exec(byte_code, safe_globals, loc)
   >>>
   >>> loc['example']()
   'Hello World!'
This example, if executed directly in Python, could harm your system.
.. code-block:: pycon

   >>> from RestrictedPython import compile_restricted
   >>> from RestrictedPython import safe_globals
   >>>
   >>> source_code = """
   ... import os
   ...
   ... os.listdir('/')
   ... """
   >>> byte_code = compile_restricted(source_code, '<inline>', 'exec')
   >>> exec(byte_code, safe_globals, {})
   Traceback (most recent call last):
   ImportError: __import__ not found
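The two sessions above show the outcome; the mechanism behind them is a policy check on the program's AST before compilation plus a deliberately small ``__builtins__`` at execution time. The following stdlib-only sketch is an added example written for this page, not RestrictedPython's own implementation (which rewrites the AST far more thoroughly and inserts runtime guards such as ``_getattr_``). It refuses imports, star imports (for the reason the changelog gives: they can bind underscore names that shadow protected built-ins) and any name starting with ``_`` other than the magic methods the changelog lists as allowed, then runs the checked code against an allow-list of builtins. ``SAFE_BUILTINS``, ``ALLOWED_MAGIC``, ``check_restricted``, ``compile_checked`` and ``run_checked`` are names invented here, and the allow-list is a constructed example that a real deployment would tune.

```python
"""Added illustration of the idea behind RestrictedPython (not its code):
check the AST of untrusted source, then execute with limited builtins."""
import ast

# Constructed allow-list of builtins visible to checked code (assumption:
# a real deployment tunes this to what the application needs).
SAFE_BUILTINS = {
    "len": len, "range": range, "str": str, "int": int, "bytes": bytes,
    "sorted": sorted, "min": min, "max": max, "sum": sum,
    "list": list, "dict": dict,
}

# Magic methods the changelog lists as definable on classes; every other
# name starting with "_" is refused.
ALLOWED_MAGIC = {"__init__", "__contains__", "__lt__", "__le__",
                 "__eq__", "__ne__", "__gt__", "__ge__"}


class RestrictionChecker(ast.NodeVisitor):
    """Walk the AST of untrusted source and collect policy violations.

    Collecting instead of raising on the first hit lets the caller report
    every problem in the submitted program at once.
    """

    def __init__(self):
        self.errors = []

    def _check_name(self, name, node):
        if name.startswith("_") and name not in ALLOWED_MAGIC:
            self.errors.append(
                f'line {node.lineno}: "{name}" is an invalid name because '
                'it starts with "_"')

    def visit_Import(self, node):
        self.errors.append(f"line {node.lineno}: imports are not allowed")

    def visit_ImportFrom(self, node):
        # A star import would bind whatever names the module exports,
        # underscore names included, bypassing _check_name entirely.
        if any(alias.name == "*" for alias in node.names):
            self.errors.append(
                f"line {node.lineno}: star imports are not allowed")
        else:
            self.errors.append(
                f"line {node.lineno}: imports are not allowed")

    def visit_Name(self, node):
        self._check_name(node.id, node)

    def visit_Attribute(self, node):
        self._check_name(node.attr, node)
        self.generic_visit(node)

    def visit_FunctionDef(self, node):
        self._check_name(node.name, node)
        self.generic_visit(node)

    def visit_arg(self, node):
        self._check_name(node.arg, node)


def check_restricted(source, filename="<inline>"):
    """Return the list of policy violations in ``source`` (empty if clean)."""
    checker = RestrictionChecker()
    checker.visit(ast.parse(source, filename))
    return checker.errors


def compile_checked(source, filename="<inline>"):
    """Compile ``source`` only if the checker found nothing to object to."""
    errors = check_restricted(source, filename)
    if errors:
        raise SyntaxError("; ".join(errors))
    return compile(source, filename, "exec")


def run_checked(source):
    """Execute checked code with only the allow-listed builtins visible
    and return the names it defined."""
    restricted_globals = {"__builtins__": dict(SAFE_BUILTINS)}
    local_namespace = {}
    exec(compile_checked(source), restricted_globals, local_namespace)
    return local_namespace


if __name__ == "__main__":
    print(run_checked("def example():\n    return 'Hello World!'\n")["example"]())
    print(check_restricted("import os\nos.listdir('/')\n"))
```

Both layers matter: the AST check rejects the ``import os`` program before it is compiled, and the reduced ``__builtins__`` means that even a program passing the check cannot reach names such as ``open`` at run time. RestrictedPython's own ``safe_globals`` plays the second role in the sessions above.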
If you want to help maintain RestrictedPython and contribute, please refer to the documentation `Contributing page <https://restrictedpython.readthedocs.io/en/latest/contributing/index.html>`_.
Backwards incompatible changes
++++++++++++++++++++++++++++++

Features
++++++++

Fixes
+++++

- Prevent DeprecationWarnings from ``ast.Str`` and ``ast.Num`` on Python 3.12.

- Forbid using some attributes providing access to restricted Python internals. (CVE-2023-37271)

- Fix information disclosure problems through Python's "format" functionality (``format`` and ``format_map`` methods on ``str`` and its instances, ``string.Formatter``). (CVE-2023-41039)
Backwards incompatible changes
++++++++++++++++++++++++++++++

Features
++++++++

- Officially support Python 3.11.

- Allow use of the Python 3.11 feature of exception groups and ``except*`` (PEP 654).

- Document that ``__name__`` is needed to define classes.

- Add support for Python 3.10. Auditing the Python 3.10 change log did not reveal any changes which require actions in RestrictedPython.

- Avoid deprecation warnings when using Python 3.8+.
  (`#192 <https://github.com/zopefoundation/RestrictedPython/issues/192>`_)
Features
++++++++

- Add support for (Python 3.8+) assignment expressions (i.e. the ``:=`` operator).

- Add support for Python 3.9 after checking the security implications of the syntax changes made in that version.

- Add support for the ``bytes`` and ``sorted`` builtins.
  (`#186 <https://github.com/zopefoundation/RestrictedPython/issues/186>`_)

Documentation
+++++++++++++

- Document parameter ``mode`` for the ``compile_restricted`` functions.
  (`#157 <https://github.com/zopefoundation/RestrictedPython/issues/157>`_)

- Fix documentation for ``compile_restricted_function``.
  (`#158 <https://github.com/zopefoundation/RestrictedPython/issues/158>`_)

Fixes
+++++

- Fix ``compile_restricted_function`` with SyntaxErrors that have no text.
  (`#181 <https://github.com/zopefoundation/RestrictedPython/issues/181>`_)

- Drop install dependency on ``setuptools``.
  (`#189 <https://github.com/zopefoundation/RestrictedPython/issues/189>`_)
Breaking changes
++++++++++++++++

- ``...`` (Ellipsis) statement, as of 4.0. It is not needed to support Python 3.8. The security implications of the Ellipsis statement are not 100 % clear and are not checked. ``...`` (Ellipsis) is disallowed again.

Features
++++++++

- (`#123 <https://github.com/zopefoundation/RestrictedPython/issues/123>`_)

Changes since 3.6.0:
Breaking changes
++++++++++++++++

- The ``compile_restricted*`` functions now return a namedtuple ``CompileResult`` instead of a simple ``tuple``.

- Drop the old implementation of version 3.x: ``RCompile.py``, ``SelectCompiler.py``, ``MutatingWorker.py``, ``RestrictionMutator.py`` and ``tests/verify.py``.

- Drop support for the long-deprecated ``sets`` module.
Security related issues
+++++++++++++++++++++++

- RestrictedPython now ships with a default implementation for ``_getattr_`` which prevents using the ``format()`` method on ``str``/``unicode``, as it is not safe; see http://lucumr.pocoo.org/2016/12/29/careful-with-str-format/

  Caution: If you have not already secured access to this ``format()`` method in your ``_getattr_`` implementation, use ``RestrictedPython.Guards.safer_getattr()`` in your implementation to benefit from this fix.
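The entry above and the CVE-2023-41039 fix further up both concern the same runtime mechanism: attribute access in restricted code is compiled into a call of a ``_getattr_`` guard, and the guard is where ``str.format`` and friends get refused. The block below is an added, stdlib-only illustration of that guard idea written for this page; it is not ``RestrictedPython.Guards.safer_getattr`` itself, and ``guarded_getattr``, ``is_refused``, ``FORMAT_METHODS`` and ``demo`` are names invented here. It contrasts an unguarded format call on a constructed untrusted template with the guarded lookups restricted code would have to go through, covering ``format``/``format_map`` on ``str`` and ``format``/``vformat`` on ``string.Formatter``, so it goes slightly beyond the single ``format()`` case in the entry above.

```python
"""Added illustration (not RestrictedPython's code) of a _getattr_-style
guard that refuses private names and the str.format family."""
import string

# Sentinel so that a missing attribute still raises AttributeError instead
# of being silently replaced by None.
_MISSING = object()

# Methods refused on str and string.Formatter: a template such as
# "{0.__class__}" makes them walk attribute chains of their arguments on
# behalf of whoever wrote the template (see the lucumr post linked above).
FORMAT_METHODS = frozenset({"format", "format_map", "vformat"})


def guarded_getattr(obj, name, default=_MISSING):
    """Stand-in for a _getattr_ guard: restricted code that reads ``a.b``
    is compiled to a call of this function instead of a plain lookup."""
    if not isinstance(name, str):
        raise TypeError("attribute name must be a string")
    if name.startswith("_"):
        raise AttributeError(
            f'"{name}" is an invalid attribute name because it starts with "_"')
    if name in FORMAT_METHODS and isinstance(obj, (str, string.Formatter)):
        raise NotImplementedError(
            f"Using the {name}() method of str/string.Formatter is not safe")
    if default is _MISSING:
        return getattr(obj, name)
    return getattr(obj, name, default)


def is_refused(obj, name):
    """True if the guard blocks this attribute access."""
    try:
        guarded_getattr(obj, name)
    except (AttributeError, NotImplementedError):
        return True
    return False


def demo():
    """Contrast an unguarded format call with guarded lookups.
    The template is a constructed example of untrusted input."""
    untrusted_template = "{0.__class__.__name__}"
    return {
        # Plain CPython lets the template walk the argument's attributes.
        "unguarded": untrusted_template.format(object()),
        # The guard refuses to hand out str.format at all ...
        "str_format_refused": is_refused(untrusted_template, "format"),
        # ... and string.Formatter().format likewise.
        "formatter_refused": is_refused(string.Formatter(), "format"),
        # Private names are refused on any object.
        "private_refused": is_refused("abc", "__class__"),
        # Ordinary methods remain usable through the guard.
        "upper_allowed": guarded_getattr("abc", "upper")(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of refusing the method object rather than inspecting the template is that the guard never has to reason about what a given format string does; the entry's caution applies in the same way, since a custom ``_getattr_`` that simply forwards to ``getattr`` would hand ``format`` out unchanged.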
Features
++++++++

- Mostly complete rewrite based on Python AST module. [loechel (Alexander Loechel), icemac (Michael Howitz), stephan-hof (Stephan Hofmockel), tlotze (Thomas Lotze)]

- Add support for Python 3.5, 3.6, 3.7.

- Add preliminary support for Python 3.8, as of 3.8.0a3.

- Warn when using another Python implementation than CPython, as it is not safe to use RestrictedPython with implementations other than CPython. See https://bitbucket.org/pypy/pypy/issues/2653 for PyPy.

- Allow the ``...`` (Ellipsis) statement. It is needed to support Python 3.8.

- Allow ``yield`` and ``yield from`` statements. Generator functions now work in RestrictedPython.

- Allow the following magic methods to be defined on classes.
  (`#104 <https://github.com/zopefoundation/RestrictedPython/issues/104>`_)
  They cannot be called directly but only by the built-in way to use them (e.g. class instantiation, or comparison):

  - ``__init__``
  - ``__contains__``
  - ``__lt__``
  - ``__le__``
  - ``__eq__``
  - ``__ne__``
  - ``__gt__``
  - ``__ge__``

- Imports like ``from a import *`` (so called star imports) are now forbidden as they allow importing names starting with an underscore which could override protected built-ins.
  (`#102 <https://github.com/zopefoundation/RestrictedPython/issues/102>`_)

- Allow the use of list comprehensions in the default implementation of ``RestrictionCapableEval.eval()``.

- Switch to pytest as test runner.

- Bring test coverage to 100 %.
Bug fixes
+++++++++

- ``.Guards.safer_getattr`` to prevent accessing names starting with underscore.
  (`#142 <https://github.com/zopefoundation/RestrictedPython/issues/142>`_)

- Add name check for names assigned during imports using the ``from x import y`` format.

- Add test for name check when assigning an alias using multiple-context ``with`` statements in Python 2.7.

- Add tests for protection of the iterators for dict and set comprehensions in Python 2.7.

- ``DocumentTemplate.sequence`` - this is handled in the DocumentTemplate package itself.

- ``zope.testing``.

- Add tests for ``Utilities`` module.

- Filter DeprecationWarnings when importing Python's ``sets`` module.

- ``__future__`` imports of ``nested_scopes`` / ``generators``.)

- Fix deprecation warning: ``with`` is now a reserved keyword on Python 2.6. That means RestrictedPython should run on Python 2.6 now. Thanks to Ranjith Kannikara, GSoC Student, for the patch.

- Add tests for ternary if expression and for ``with`` keyword and context managers.

- Changed homepage URL to the PyPI site.

- Improve ``README.txt``.

- RestrictedPython now has its own release cycle as a separate project.

- Synchronized with RestrictedPython from Zope 2 tree.

- Corresponds to the version of the RestrictedPython package shipped as part of the Zope 3.2.0 release.

- No changes from 3.1.0.

- Corresponds to the version of the RestrictedPython package shipped as part of the Zope 3.1.0 release.

- Remove unused fossil module, ``SafeMapping``.

- Replaced use of deprecated ``whrandom`` module with ``random`` (aliased to ``whrandom`` for backward compatibility).